[thelist] OT: e-commerce PayPal

Galen king_galen at hotmail.com
Thu May 9 04:37:00 CDT 2002


> All you need to do to "decrypt" the page is change the words:
> "document.write" to "alert"
>
>
> Cheers,
> Richard
>
LOL  It is a good thing we are all reasonably honest here :) I never knew
you could just change that and that it would show the source as it was. I
did know that it was not a very good deterrent for a determined "thief" in
that all they had to do was root around long enough and they would find the
"hidden return value" PayPal uses, but changing it to "alert" is something I
had never known or had the time to try before.

I have come across another one online that "encrypts" the page better but I
have not found the source for that at this point. I even went so far as to
buy some software that was supposed to encrypt the source and all it gave me
was the same thing that that link took you to so that was a waste. I'm sure
that if we were to root around with it we could find more and better, the
other one which I am most familiar with uses the alphabet, numbers 0-9, <,>,
and . characters forwards and then backwards which isn't really very good
either as anyone with about ten minutes can make themselves a key for it.

I went and rooted you all out an example of the source code that is
"encrypted" that way as well...  This is from someone in one of the
other forums that has been complaining about the bypassing of the pay
like...  How did we get this far off topic anyhow?

======  copy below =========

<center><SCRIPT LANGUAGE='JavaScript'>
function Decode()
{ d("b9spu ]6nyst=\"znnro://kkkAr]ir]vA6su/60y-<yt/k8<o6p\" u8nzs7=\"rson\"C
bytrmn nir8=\"zy778t\" t]u8=\"6u7\" l]vm8=\"_j6vy6w\"C  bytrmn
nir8=\"zy778t\" t]u8=\"<moyt8oo\" l]vm8=\"7<pytost at uyvv8ttymu6]oz9vskA6su\"
C   bytrmn nir8=\"zy778t\" t]u8=\"yn8u_t]u8\" l]vm8=\"Vyvv8ttymu #y0
Wyon ]t7 #stmo8o\"C  bytrmn nir8=\"zy778t\" t]u8=\"yn8u_tmu<8p\"
l]vm8=\"ggEF\"C  bytrmn nir8=\"zy778t\" t]u8=\"]usmtn\" l]vm8=\"DAgg\"C
bytrmn nir8=\"zy778t\" t]u8=\"mt789yt87_qm]tnyni\" l]vm8=\"H\"C  bytrmn
nir8=\"zy778t\" t]u8=\"p8nmpt\"
l]vm8=\"znnr://kkkAuyvv8ttymu6]oz9vskA6su/Vyvv8ttymu#y0WyonA8j8\"C  bytrmn
nir8=\"zy778t\" t]u8=\"6]t68v_p8nmpt\"
l]vm8=\"znnr://kkkAuyvv8ttymu6]oz9vskA6su\"C  bytrmn nir8=\"yu]08\"
op6=\"znnr://kkkAuyvv8ttymu6]oz9vskA6su/<mitskA0y9\" <sp78p=\"g\"
t]u8=\"om<uyn\"C  b/9spuC");}var DECRYPT = false;var
ClearMessage="";function d(msg){ClearMessage += codeIt(msg);}
var key =
"AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz1029384756><#].";
function codeIt (_message) {var wTG;var mcH =  key.length / 2;
var _newString = "";var dv;for (var x = 0; x < _message.length; x++) {wTG =
key.indexOf(_message.charAt(x));
if (wTG > mcH) {dv = wTG - mcH;_newString += key.charAt(33 - dv);} else {if
(key.indexOf(_message.charAt(x)) < 0)
 {_newString += _message.charAt(x);} else {dv = mcH - wTG;
_newString += key.charAt(33 + dv);}}}return
(_newString);}Decode();document.write(ClearMessage);</SCRIPT>

====== end copy =======

Easily hackable and as far as security goes not even worth the time to use
as near as I can tell. They have gone so far as to disable right clicking
(can still be done with a mouse) and tried putting it in frames, get the url
and open it with an html editing application. The first person that does
figure out how to make PayPal fully "hack proof" and the purchased product
instantly downloadable without human intervention or malfunctioning
autoresponders is gonna make a fortune...  HEHE I will market it for you
gurus if you do it.

Thus far the best solution I have come across is automated form entry...
They fill in the form, they are billed via email by PayPal, they pay that and
then the owner manually creates the account. I have seen it done on pages
with php and asp endings so assuming those are NT servers I would be lost
even trying that. For us simple *nix box users it'd be interesting but
probably not impossible to do, but beyond me...  That is what you gurus are
for :)

Ah well...

Galen
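
The script quoted in the message above ships its own key and decoder, and its substitution simply reverses the key string. The following is an added example, not part of the original post: it writes that mapping out plainly in JavaScript and runs it on a constructed hidden form field (`shop.example` and the field value are placeholders) to show that one function both encodes and decodes.

```javascript
// Added example: the mirror substitution used by the posted script.
// KEY is the key string from that script; everything else is constructed.
const KEY =
  "AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz1029384756><#].";

// Each key character is swapped with the one at the same distance from the
// other end of the key (index i <-> KEY.length - 1 - i). Characters that are
// not in the key (spaces, quotes, '=', '/', ':') pass through unchanged.
function mirror(text) {
  let out = "";
  for (const ch of text) {
    const i = KEY.indexOf(ch);
    out += i < 0 ? ch : KEY.charAt(KEY.length - 1 - i);
  }
  return out;
}

// Constructed sample: a hidden form field of the kind the post talks about.
// shop.example and the path are placeholders, not values from the page.
const SAMPLE =
  '<input type="hidden" name="return" value="http://shop.example/thanks.html">';

const encoded = mirror(SAMPLE);  // what would sit in the page source
const decoded = mirror(encoded); // the same function undoes it

// Key characters that map to themselves: only the middle of the key can.
function fixedPoints() {
  return [...KEY].filter((ch) => mirror(ch) === ch);
}

console.log(encoded);
console.log(decoded === SAMPLE);
console.log(fixedPoints());
```

Because the browser has to be handed both the key and the routine, a value hidden this way is readable by anyone who loads the page.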